request objects should have iat and exp
There doesn't seem to be anything in FAPI part 2 that requires request objects to have iat and exp fields.
I believe this would allow an attacker to replay authorisation requests much later on. I'm not sure that's desirable.
Should we be mandating iat & exp?
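An added example, not part of this issue or of the FAPI specification, showing how an authorization server can enforce the time claims the issue proposes: reject a request object with no `exp`, reject one that has already expired, and, when `iat` is present, reject implausible values. The signature of the request object is assumed to have been verified before these checks run; the skew tolerance, the maximum lifetime and the sample tokens are all constructed assumptions, and the sample tokens carry a placeholder signature segment because signature handling is out of scope here.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Assumed policy values (not from the spec or the issue): tolerated clock drift
# between client and authorization server, and the longest lifetime a request
# object is allowed to declare via exp - iat.
CLOCK_SKEW_SECONDS = 30
MAX_LIFETIME_SECONDS = 60 * 60


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_request_object(claims: dict) -> str:
    """Constructed sample only: builds header.payload.<placeholder> so the
    parser below has something to read. A real request object is signed."""
    header = _b64url_encode(json.dumps({"alg": "PS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


def request_object_claims(jwt: str) -> dict:
    """Return the payload claims of a compact-serialised JWT.
    Signature verification is assumed to happen before this is called."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(claims: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Enforce exp (mandatory) and sanity-check iat (optional) on a request object.
    Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now

    exp = claims.get("exp")
    if exp is None:
        # Without exp a captured request object stays valid indefinitely and
        # could be replayed much later; the issue proposes mandating it.
        return False, "missing exp"
    if not isinstance(exp, int):
        return False, "exp is not a NumericDate"
    if exp <= now - CLOCK_SKEW_SECONDS:
        return False, "request object expired"

    iat = claims.get("iat")
    if iat is not None:
        if not isinstance(iat, int):
            return False, "iat is not a NumericDate"
        if iat > now + CLOCK_SKEW_SECONDS:
            return False, "iat is in the future"
        # Even with exp present, an absurdly long window defeats the purpose.
        if exp - iat > MAX_LIFETIME_SECONDS:
            return False, "declared lifetime exceeds policy"

    return True, "ok"


def validate_request_object(jwt: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Parse a (pre-verified) request object and apply the time-claim checks."""
    try:
        claims = request_object_claims(jwt)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed request object"
    return check_time_claims(claims, now)


if __name__ == "__main__":
    now = int(time.time())
    fresh = make_sample_request_object({"iss": "client", "iat": now - 10, "exp": now + 290})
    stale = make_sample_request_object({"iss": "client", "iat": now - 7200, "exp": now - 3600})
    no_exp = make_sample_request_object({"iss": "client", "iat": now})
    for label, token in (("fresh", fresh), ("stale", stale), ("no exp", no_exp)):
        print(label, validate_request_object(token, now))
```

The ordering matters: `exp` is checked unconditionally because that is the claim that bounds replay, while `iat` is only sanity-checked when present, which matches the comment in the thread that `exp` should be enforced and `iat` allowed.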
Comments (10)

- changed status to open
- Aug 1 callers felt that exp should be enforced. iat should be allowed.
- assigned issue to
- Torsten to create a pull request. * shall for exp;
- assigned issue to
- changed milestone to 2nd Implementers Draft
- assigned issue to
- please review pull request
- assigned issue to
- changed status to resolved
- Fixes #152. Merged in 152-request-objects-should-have-iat-and-exp (pull request #62). Financial_API_WD_002.md edited online with Bitbucket
  → <<cset 1e334d6bc786>>
- Merged in josephheenan/fapi/avoid-clause-renumbering (pull request #66) to fix #162 and fix #152. Explicitly disallowed client_secret_jwt (#162) + update fix for #152 so that the spec clauses aren't renumbered. Approved-by: Nat Sakimura sakimura@gmail.com
  → <<cset 1d66ccb37423>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
- @Nat It may also make sense to discuss potential replay risks in the upstream JAR spec:
  https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-16